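# Installs the host's Kerberos keytab at /etc/krb5.keytab.
#
# The keytab is provisioned by the fudo.secrets machinery to a target file
# under /run/kerberos; a systemd path unit watches that file and, whenever it
# appears or changes, triggers a oneshot service that copies it into /etc with
# root-only (0400) permissions. The copy is removed again when that service
# is stopped.
{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;

  # The secrets module exposes a `files` attribute only when secret files are
  # configured at all; the whole module is gated on that.
  has-secret-files = hasAttr "files" config.fudo.secrets;

  # Look up `attr` in `set`, yielding null when it is absent.
  try-attr = attr: set: set.${attr} or null;

in {
  config = mkIf has-secret-files (let
    # Source keytab declared for this host, or null if none is declared.
    keytab-file = try-attr hostname config.fudo.secrets.files.host-keytabs;
  in mkIf (keytab-file != null) {
    ## This doesn't seem to work...timing?
    # environment.etc."krb5.keytab" = mkIf (keytab-file != null) {
    #   source =
    #     config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    #   user = "root";
    #   group = "root";
    #   mode = "0400";
    # };

    systemd = let
      # Path the secrets machinery writes the keytab to (declared below as a
      # host secret with target-file /run/kerberos/krb5.keytab).
      host-keytab =
        config.fudo.secrets.host-secrets.${hostname}.host-keytab.target-file;
    in {
      paths."${hostname}-keytab-watcher" = {
        wantedBy = [ "default.target" ];
        description = "Watch host keytab for changes.";
        pathConfig = {
          PathChanged = host-keytab;
          Unit = "${hostname}-keytab-watcher.service";
        };
      };

      services = {
        "${hostname}-keytab-watcher" = {
          description =
            "When host keytab is available or changed, activate copy job.";
          path = with pkgs; [ systemd ];
          serviceConfig = { Type = "oneshot"; };
          script = "systemctl restart ${hostname}-copy-keytab.service";
        };

        "${hostname}-copy-keytab" = {
          description =
            "Copy the host krb5.keytab into place once it's available.";
          # Name the tools the scripts rely on explicitly rather than depending
          # on the unit's default PATH.
          path = with pkgs; [ coreutils ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            ExecStart = pkgs.writeShellScript "${hostname}-copy-keytab.sh" ''
              set -euo pipefail
              # Nothing to do until the secret has actually been provisioned.
              [ -f ${host-keytab} ] || exit 1
              # Restrictive umask so the staging copy is never readable by
              # anyone but root, not even between the copy and the chmod.
              umask 077
              tmp="$(mktemp /etc/krb5.keytab.XXXXXX)"
              cp ${host-keytab} "$tmp"
              chown root:root "$tmp"
              chmod 0400 "$tmp"
              # Rename is atomic: readers observe either the previous keytab or
              # the new one, never a missing or partially written file.
              mv -f "$tmp" /etc/krb5.keytab
            '';
            ExecStop = pkgs.writeShellScript "${hostname}-remove-keytab.sh" ''
              rm -f /etc/krb5.keytab
            '';
          };
        };
      };
    };

    # Declare the keytab as a host secret so the secrets machinery decrypts it
    # to the target path watched above.
    fudo.secrets.host-secrets.${hostname}.host-keytab =
      mkIf (keytab-file != null) {
        source-file = keytab-file;
        target-file = "/run/kerberos/krb5.keytab";
        user = "root";
      };
  });
}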